Single Sign-On
Each day we access many places: the office, the car, a locker, the house, a room. We have different keys or access mechanisms for each of them. Have you ever thought about what those keys actually do?
A key simply tells the lock, "this person has the authority to be in here, so let them in." But the issue is that one lock trusts only its corresponding key, so we have to carry a separate key for each place we access. In the security sense, that is perfect. But what about usability? You have to manage all those keys: remember where they are and take them wherever you go. Pretty hard, isn't it? So we have identified the problem. Let's think of an answer.
We need a key that can open all the doors we use, but that key has to be trusted by all the doors. One option is to ask every door to trust the key by adding information about the key to each lock. It's like changing every lock to support the one key, which is almost like using the same password everywhere. Obviously, in the security sense, that is not good. And in the usability sense, all the locks need to be changed. If a new lock comes along, the change has to be made again, and if the key is lost, all the locks have to be changed again. Again, hard. So what is the perfect solution?
What if there is one lock and one key, and that lock can tell the other locks to let me in? Let's check the boxes. What about security? Well, not as great as having separate keys for separate locks, but it does the job. What about usability? I only have to manage one key, and the information about it is stored in one place, so I can change it easily. So in the usability sense, this also works fine.
But how can this work? What are the major requirements? Now we are opening only one lock, so that lock must be able to tell the other locks to open for me. But why should those locks open just because some lock tells them to? For that, those locks have to trust this lock. Another problem: what if someone else tries to imitate the request to open? So there has to be a way to find out exactly who is sending the request, and there has to be a way to hide the content of the request or make it hard to understand. All of these issues have to be addressed when implementing Single Sign-On.
With all of these implemented, we call this Single Sign-On. The concept is fairly simple, but it creates lots of issues in implementation. Today this same concept is used by many applications. For example, when we sign in with Google, we get access to all Google services via single sign-on. An identity manager is needed to implement this. If you are interested, check out WSO2 Identity Server and its documentation for more details.
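As an added illustration that is not part of the original post, here is a minimal token flow covering the requirements above: the services trust one identity provider, each service can check who issued the assertion, and a tampered, expired or misdirected assertion is rejected. The provider name, service names and keys are constructed sample values, and a shared HMAC key per service stands in for the signature scheme a real deployment would use.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample keys: each registered service (an "other lock") shares one
# secret with the identity provider (the "one lock"). A real deployment would
# use the provider's public key instead of a shared secret.
IDP_NAME = "idp.example"
IDP_KEYS = {"mail": b"mail-service-secret", "drive": b"drive-service-secret"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, audience: str, now: float, ttl: int = 300) -> str:
    """Identity provider side: assert that `user` signed in, for one named service."""
    claims = {"iss": IDP_NAME, "sub": user, "aud": audience,
              "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_KEYS[audience], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, service: str, key: bytes, now: float):
    """Service side: return the user only for an untampered, unexpired token meant for us."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Signature check first: proves the trusted provider produced this body.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad split, bad base64, bad JSON
        return None
    # Issuer and audience: the right lock said it, and it said it to this door.
    if claims.get("iss") != IDP_NAME or claims.get("aud") != service:
        return None
    # Validity window: a replayed old token is refused.
    if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
        return None
    return claims.get("sub")
```

A forged body with a valid-looking signature fails at the HMAC check, and a token issued for "mail" is refused by "drive" even though both trust the same provider.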